Application network appliance with built-in virtual directory interface

ABSTRACT

An application network appliance with a built-in virtual directory interface is described herein. According to one embodiment, a network element includes a virtual directory interface (VDI) coupled to multiple directory servers, and an authentication and authorization unit coupled to the VDI. In response to a packet of a network transaction received from a client over a first network for accessing a server of a datacenter over a second network, the authentication and authorization unit obtains user attributes from the directory servers via the VDI and performs authentication and authorization using the user attributes to determine whether a user of the client is eligible to access the server of the datacenter, where the network element operates as a security gateway to the datacenter. Other methods and apparatuses are also described.

RELATED APPLICATIONS

This application claims the benefit of U.S. Provisional Patent Application No. 60/966,649, filed Aug. 28, 2007, which is incorporated by reference herein in its entirety.

FIELD OF THE INVENTION

The present invention relates generally to application network appliances. More particularly, this invention relates to application network appliances with a built-in virtual directory interface.

BACKGROUND

The ability to connect information technology infrastructure reliably, cost-effectively and securely is of high importance for today's global enterprises. To communicate with customers, clients, business partners, employees, etc., the Internet has proven to be more appropriate compared to private communication networks. However, communication via the Internet, which typically uses TCP/IP (Transmission Control Protocol/Internet Protocol), also increases the requirements for data security. Network firewalls are one of the many examples of solutions for network security.

Enterprise Web Application Services build an important foundation for such client, customer, and employee communication. A very common configuration for hosting such enterprise web Application Services is shown in FIG. 1. As shown in FIG. 1, an enterprise can offer web Application Services to various clients and there are several possibilities for clients to connect to the servers depending on the location of the client relative to the servers' location. The servers which provide the Application Services are typically located in the enterprise's data center 1016 and are accessible, directly or indirectly, via World-Wide-Web (WWW) servers 1012. Sometimes enterprises provide access to the Application Services by making the application servers directly accessible by putting those application servers into a Demilitarized Zone (DMZ) 1011.

A client 1003 may connect via a Local Area Network (LAN) through the enterprise's intranet 1013. Another client 1004 may connect through a Wireless LAN (WLAN) to the intranet 1013. Yet another client 1005 may be located inside the enterprise's campus network 1015, which connects to the enterprise's intranet 1013. An enterprise may have zero or more campuses 1014 and 1015. Yet another client 1001 may connect through the Internet 1000, or a client 1002 may have a mobile connection to the Internet 1000. In any case, to prevent illegitimate access to the enterprise's web Application Services, the “inside” of the enterprise's network, the intranet 1013, is protected by having a network perimeter 1010, which may comprise firewalls, associated network interconnect, and additional resources “within” the perimeter network configured so as to be broadly accessible to users on the “outside” of the enterprise.

Behind the perimeter 1010, access is granted to legitimate client requests only, while illegitimate access is rejected. The fundamentals in determining whether an access request is legitimate or not are based on the network reference model from the International Organization for Standardization (ISO). This ISO network reference model classifies Network Services into seven layers.

Traditional security products generally assume the existence of a trusted intranet—locations where enterprises control their own LANs, switches and routers—which can be organized into or placed within some type of security perimeter, to protect its resources from the un-trusted Internet. However, in today's business environment, enterprises no longer enjoy the same level of trust and control of their intranets, as enterprises increasingly rely on contractors, partners, consultants, vendors, and visitors on-site for daily operation. As a result, enterprises are exposing internal resources to this wide set of clients whose roles are also frequently changing. Thus, the network trust boundary, delineating inside and outside clients, is disappearing—a phenomenon referred to as “de-perimeterization”. In such an environment, protection of an enterprise's resources—such as its intellectual property, as well as mission-critical and operational systems—becomes of critical importance. Also, most security exploits easily traverse perimeter security, as enterprises typically let through email, web and any encrypted network traffic, such as Secure Sockets Layer (SSL), Simple Mail Transfer Protocol (SMTP) with Transport Layer Security (TLS), and authenticated Virtual Private Network (VPN) traffic, for example via IP Security (IPSec). Traditional perimeter security approaches, for example firewalls, intrusion detection systems and intrusion prevention systems, have little or no benefit at the perimeter in providing access control functions to the resources. They have become more attack mitigation mechanisms than access control mechanisms. Enterprises are coming to terms with the fact that a hardened perimeter strategy is un-sustainable.

Traditional firewall or router access control lists cannot protect application resources from unauthorized access because network parameters such as Internet Protocol (IP) addresses and IP port numbers no longer deterministically identify resources, nor identify users, clients, or applications accessing these resources. Network firewall technology was invented when enterprises had a limited set of applications such as Telnet, File Transfer Protocol (FTP), and Email, and its primary functions were to limit access to specific applications from the outside and to limit access by systems within the enterprise to specific applications outside the firewall. Network layer parameters such as source and destination IP address and TCP or UDP port numbers were sufficient to identify the client and the operations the client intended to perform on a particular resource. However, with the proliferation of mobile devices and tunneled applications, the network layer parameters are no longer useful to identify the client, the resource accessed, and the operation. Firewalls have evolved over time, embracing functions such as deep packet inspection and intrusion detection/prevention, to handle application-level attacks, but the core access control function remains the same.

In effect, de-perimeterization demands that access control functions are positioned close to application resources and that a micro-perimeter is established in the heart of the data center by placing an identity-based policy enforcement point in front of any application resource. Enterprise business drivers for such an enforcement point are the need for rich and uniform protection of resources, business agility via attribute-based, policy-driven provisioning, and regulatory compliance. Traditional server-centric authorization solutions providing role-based authorization often require custom code development, extensive cross-vendor testing whenever there is a version change (of the underlying operating system, agent or application), and are costly and difficult to maintain because of their proprietary nature. Also, traditional server-based network appliances—primarily focused on low-bandwidth ISO Layer-4 to ISO Layer-7 perimeter services—are unsuitable for data center deployment, both in functional richness and in ISO Layer-7 performance.

Authorization or access control typically determines the allowed set of actions by a legitimate client, possibly intercepting every access of the client to a resource in the system. Authentication is used in conjunction with authorization—authentication determines and verifies the basic identity of, for example, a user or a client process. Then, based on determining the user's or client's identity, an authorization decision can be appropriately made. Of course, if a client's or user's identity cannot be verified, the authorization decision is quite simple—deny access or authority to perform any action.

Typically, authentication is performed once every session, unlike authorization, which is performed for every client action. Granular authorization is achieved by leveraging details of the identity such as attribute values, group membership, role assignment, etc. Typically, Information Technology (IT) infrastructure implements access control in many places and at different levels.

Traditionally, authentication and authorization are done inside the application; however, because of the long cycle of development and deployment in the process, not all applications have the same level of support. Many applications have a basic form of authentication using a user name and a secret password. Certain vendor-specific applications support role-based authorization which is often vendor proprietary and does not interoperate well with implementations in other applications—it creates multiple silos of applications within an enterprise network infrastructure. Role provisioning is often challenging; without careful planning, enterprises often end up with the number of roles greater than the number of users, which eviscerates any potential management efficiency gains. As a result, a large number of applications are left behind with no protection and with no support for authentication or authorization. With de-perimeterization, enterprises are seeing a need to protect these applications uniformly with network-centric solutions that do not mandate modifying the application.

SUMMARY OF THE DESCRIPTION

An application network appliance with a built-in virtual directory interface is described herein. According to one embodiment, a network element includes a virtual directory interface (VDI) coupled to a plurality of directory servers, and an authentication and authorization unit coupled to the VDI. In response to a packet of a network transaction received from a client over a first network for accessing a server of a datacenter over a second network, the authentication and authorization unit is configured to obtain one or more user attributes from at least one of the directory servers via the VDI. The authentication and authorization unit is configured to authenticate and/or authorize the packet based on at least the user attributes to determine whether a user of the client is eligible to access the server of the datacenter. The network element operates as a security gateway to the datacenter and each client of the first network has to go through the security gateway in order to access a server of the second network.

Other features of the present invention will be apparent from the accompanying drawings and from the detailed description which follows.

BRIEF DESCRIPTION OF THE DRAWINGS

The present invention is illustrated by way of example and not limitation in the figures of the accompanying drawings in which like references indicate similar elements.

FIG. 1 illustrates a typical corporate computer network connected to the Internet;

FIG. 2 illustrates the application of an application network appliance (ANA) as the APS according to one embodiment of the invention;

FIG. 3 is a network connected block diagram of an ANA according to one embodiment of the invention;

FIG. 4 is a block diagram of a Virtual Directory Infrastructure system for Triangulated Authorization according to another embodiment of the invention;

FIG. 5 is a block diagram of the APS combined with embedded PDP and PEP;

FIG. 6 is a block diagram of a system for Triangulated Authorization of a first request according to one embodiment of the invention;

FIG. 7 is a flow diagram of a method for Triangulated Authorization of a first request according to one embodiment of the invention;

FIG. 8 is a block diagram of a system for Triangulated Authorization of a subsequent request according to one embodiment of the invention;

FIG. 9 is a flow diagram of a method for Triangulated Authorization of a subsequent request according to one embodiment of the invention;

FIG. 10 is a flow diagram which illustrates the HTTP protocol;

FIG. 11 is a block diagram which illustrates the CIFS protocol packet;

FIG. 12 is a block diagram which illustrates the application of the SQLnet protocol;

FIG. 13 is a block diagram of a system for Triangulated Authorization of a first request using a Virtual Directory Infrastructure according to another embodiment of the invention;

FIG. 14 is a flow diagram of a method for Triangulated Authorization of a first request using a Virtual Directory Infrastructure according to another embodiment of the invention;

FIG. 15 is a block diagram of a system for Triangulated Authorization of a subsequent request using a Virtual Directory Infrastructure according to another embodiment of the invention;

FIG. 16 is a flow diagram of a method for Triangulated Authorization of a subsequent request using a Virtual Directory Infrastructure according to another embodiment of the invention.

DETAILED DESCRIPTION

In the following description, numerous details are set forth to provide a more thorough explanation of embodiments of the present invention. It will be apparent, however, to one skilled in the art, that embodiments of the present invention may be practiced without these specific details. In other instances, well-known structures and devices are shown in block diagram form, rather than in detail, in order to avoid obscuring embodiments of the present invention.

Reference in the specification to “one embodiment” or “an embodiment” means that a particular feature, structure, or characteristic described in connection with the embodiment is included in at least one embodiment of the invention. The appearances of the phrase “in one embodiment” in various places in the specification do not necessarily all refer to the same embodiment.

One aspect of the invention is to perform Triangulated Authorization as a means for network-centric, application-agnostic authorization and access control to certain Application Services. The concept of Triangulated Authorization operates on policies, which can take into account multiple aspects of clients, of the networking environment and of the applications and services requested by clients. Performing Triangulated Authorization requires analysis of the ISO Layer-7 application data, which can be transmitted via various protocols. Using an LDTF in a multi-processing approach provides the compute power to perform such analysis efficiently. The concept of Triangulated Authorization can be enhanced by utilizing a Virtual Directory Infrastructure (VDI) to multiple directory stores. Further, because LDTF can support virtualization, for example InfiniBand as the LDTF supports so-called virtual lanes, the concept of Triangulated Authorization can also be implemented in a virtualized manner. One physical ANA can then be used to serve multiple independent network domains, thus increasing flexibility and reducing the cost and the complexity of access control.

One aspect of the invention is a Network Application Protection system and method, for access control in a network environment by using Triangulated Authorization based on user attributes, environment attributes, and resource attributes to make rapid, reliable, and secure authorization decisions, based on a number of factors, including user attributes, environment attributes, and subject attributes. User attributes may include, among others: company department, role, project association, seniority, citizenship. Environment attributes may include, among others: network access method, location, time and date. Subject attributes may include, among others: protocol attributes, content attributes, and resource attributes.

Overview

The approach described herein applies combinations of parallel, multi-processor computing technology with lossless, low-latency, high-bandwidth network fabric technology (also known as Lossless Data Transport Fabric, or LDTF) to form novel methods and systems for high performance, high-reliability, high availability, and secure network applications. The various embodiments of the inventions described herein enable the implementation of highly reliable, highly scalable solutions for enterprise networking such as, for example, the APS 2000 from FIG. 2.

Multiple network Services are efficiently provided by terminating transport protocols centrally. As can be seen, any transport protocol can be terminated centrally, each PDU's payload can be collected and converted into a data stream and, vice versa, a data stream can be converted into PDUs for any transport protocol and be transported via the given transport protocol. A simple concatenation of the PDU payload into a byte-stream is not sufficient. Key to the conversion is that state information must be maintained about the meta-data of each connection. Such meta-data includes the session information, for example via a unique connection identification number, the transaction information, as well as the information regarding segments and packets. Finite state machines can be used to track the meta-data.

Transport protocols are protocols which are used to transport information via networks. These include, obviously, the ISO Layer-3 protocols such as IPv4, IPv6, IPSec, the ISO Layer-4 protocols such as TCP, UDP, SCTP, the various ISO Layer-5 protocols such as FTP, HTTP, IMAP, SMTP, GTP, L2TP, PPTP, SOAP, SDP, RTSP, RTP, RTCP, RPC, SSH, TLS, DTLS, SSL, IPSec, and VPN protocols. However, other protocols and approaches are contemplated within the scope of the inventions, which serve as transport mechanisms for transmitting information and application data and can also be terminated in a centralized fashion by a protocol proxy and the corresponding PDUs can be transformed into a data stream for application layer processing. Examples of such are CSIv2, CORBA, IIOP, DCOM and other Object Request Brokers (ORB), MPEG-TS or RTP as a transport for multi-media information, RTSP or SIP as another transport for multi-media information, peer-to-peer transport mechanisms, transport mechanisms based on J2EE such as Java RMI, streaming media protocols such as VoIP, IPTV, etc.

For the sake of simplicity we will use the term Centralized Transport Protocol Termination throughout the rest of the description; however, this is for exemplary purposes only and is not intended to be limiting. Centralized Transport Protocol Termination can be performed by dedicated processing units, and different ISO Layer-7 services can be performed in other dedicated processing units. The use of a lossless low-latency high-bandwidth fabric for inter-process communication between such dedicated processing units makes it possible to simultaneously support Centralized Transport Protocol Termination for multiple services. For example, TCP can be terminated once, transformed into a data stream and this data stream is transported from one dedicated processing unit to another using the lossless low-latency high-bandwidth fabric. The low-latency nature of the fabric helps to reduce the overall latency in client-to-server transactions.
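The conversion described above, PDUs in, application byte stream out, with per-connection state kept by a finite state machine, as an added toy illustration (not the appliance's NSM code). The `Pdu` and `Connection` types, the three-state machine and the sample segments are constructed for the example; real TCP termination handles far more (retransmission, windows, both directions).

```python
"""Toy Centralized Transport Protocol Termination: TCP-like PDUs are
reassembled per connection into an ISO Layer-7 byte stream while a finite
state machine tracks the connection's meta-data. Constructed illustration,
not the appliance's own code."""
from dataclasses import dataclass, field


@dataclass
class Pdu:
    conn_id: int        # unique connection identification number
    seq: int            # offset of payload[0] in the stream
    payload: bytes
    flags: str = ""     # "SYN", "FIN" or ""


@dataclass
class Connection:
    state: str = "NEW"                               # NEW -> OPEN -> CLOSED
    next_seq: int = 0                                # next in-order byte expected
    pending: dict = field(default_factory=dict)      # seq -> payload held out of order
    stream: bytearray = field(default_factory=bytearray)
    segments: int = 0                                # packet-level meta-data
    fin_seen: bool = False


class Terminator:
    def __init__(self):
        self.table = {}                              # conn_id -> Connection

    def accept(self, pdu):
        """Feed one PDU. Returns the newly in-order stream bytes (possibly
        empty) or None when the PDU is dropped by the state machine."""
        conn = self.table.setdefault(pdu.conn_id, Connection())
        conn.segments += 1
        if conn.state == "NEW":
            if pdu.flags != "SYN":
                return None                          # no handshake: drop, stay NEW
            conn.state, conn.next_seq = "OPEN", pdu.seq + 1
            return b""
        if conn.state == "CLOSED":
            return None                              # data after FIN is dropped
        if pdu.payload:
            conn.pending[pdu.seq] = pdu.payload      # simple concatenation is not enough
        if pdu.flags == "FIN":
            conn.fin_seen = True
        delivered = bytearray()
        while conn.next_seq in conn.pending:         # drain the contiguous run
            chunk = conn.pending.pop(conn.next_seq)
            delivered += chunk
            conn.next_seq += len(chunk)
        conn.stream += delivered
        if conn.fin_seen and not conn.pending:
            conn.state = "CLOSED"
        return bytes(delivered)


def to_pdus(conn_id, data, start_seq, mss):
    """Reverse direction: cut a Layer-7 stream back into PDUs of at most mss bytes."""
    return [Pdu(conn_id, start_seq + i, data[i:i + mss])
            for i in range(0, len(data), mss)]
```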

In one embodiment, the Application Protection System (APS) 2000 is a network appliance that can act as a proxy between the client 2001 and the application server 2005, and can determine whether a client 2001 shall be granted access to certain applications 2005. In one example, the client 2001 is one or more of the clients 1001, 1002, 1003, 1004, or 1005 of FIG. 1. In another example, the client 2001 can be a virtual machine or a cluster of computers, or a server (for server-to-server connections, for example). The application server 2005 can be, for example, without limitation, one or more file servers, one or more web servers, one or more database servers, one or more compute servers, one or more storage servers or one or more game servers. The decision whether access is granted or rejected involves an Identity Management Server 2003 to identify the user, client, or application, for example using Lightweight Directory Access Protocol (LDAP) or Active Directory (AD), and is the result of querying a Policy Server 2002 to analyze the access policy for the requested application 2005.

The APS 2000 may use a Triangulated Authorization method which, for example, is based on multiple aspects of a client (such as the client 2001), the requested application (such as application 2005) and certain network characteristics: Who—a client (a user or a machine) and its associated attributes such as department, role, project association, seniority, citizenship, etc.; Where—network and environment attributes such as access methods (wire-line/wireless/VPN), location (e.g., USA, Switzerland, China) and time; What—on-the-wire session attributes, including protocol and content/resource attributes. The outcome of this Triangulated Authorization method can be used to determine whether access to an application is granted or rejected. Optionally, a Single-Sign-On (SSO) server such as server 2004 may be involved that allows the client 2001 to obtain authorization for accessing multiple applications at once.

One embodiment of the invention acts as a proxy between one or more clients and one or more application servers to control the access of the one or more clients to the one or more applications. This is described, for example, in FIG. 2, where the APS 2000 controls access of client 2001 to application server 2005. Thereby the approach can act as a high-speed, full proxy which terminates both client-side and server-side transport protocol connections, and which behaves as a virtual server to the one or more clients, and as a virtual client to the one or more servers. The proxy function is required because of the need to reassemble PDUs into data streams and (where needed) to decrypt the payload data for inspection such as access control. The proxy function involves ISO Layer-2 to ISO Layer-5 processing such as Centralized Transport Protocol Termination.

FIG. 3 is a block diagram illustrating an example of an application service appliance system according to one embodiment of the invention. Referring to FIG. 3, ANA 2100 acts as a proxy between a client 2104 and an application server 2105. The client 2104 is connected to the ANA 2100 via a network 2107. Network 2107 can, for example, be a LAN, a WAN, a WLAN, an intranet, or the Internet. The application server 2105 is connected to the ANA 2100 via network 2106. Network 2106 can, for example, be a LAN, a WAN, a WLAN, an intranet, or the Internet. Networks 2106-2107 may be the same network or different networks. While it is apparent that multiple clients and multiple application servers may be connected to the ANA 2100, for the sake of simplicity a single client, single application server case is used as a placeholder throughout. Incoming connections, for example a request from the client 2104, are terminated in the NSM 2103 and transformed into a data stream. This is done by PDU processing and reassembling the payload of the PDU into a data stream of ISO Layer-7 application data. This data stream is transported via LDTF 2102 to the ASM 2101 for further ISO Layer-7 processing. LDTF 2102 may be an RDMA or IB compatible fabric. The result of ISO Layer-7 processing done by ASM 2101 is then transported back—still as a data stream—via the LDTF 2102 to the NSM 2103. The NSM 2103 then transforms the data stream into PDUs and sends the PDUs to the application server 2105 via the appropriate transport protocol. Connections which originate from the application server 2105 can be handled similarly. Using this novel approach, both processing domains can be scaled independent of each other and a well-balanced system can be achieved at reasonable costs.

The novel approach described herein, which in one embodiment of the invention is the APS 2000 of FIG. 2, provides attribute-based authorization based on Triangulated Identity (for example, based on user, network/environment, protocol and content/resource attributes) to control access to application resources. Both policy decision point (PDP) and policy enforcement point (PEP) are centralized in the network to provide a policy-driven, standards-based and granular authorization enforcement that is non-invasive to applications. It complements network access control in that network access control protects the network via client-side (in-building) deployment whereas the APS 2000 can be used to protect applications for both client-to-server and server-to-server sessions via data center-side deployment. Network access control ensures only that the proper client with appropriate host integrity gets access to the network, whereas the APS 2000 of this approach ensures that the client is restricted to legitimate use once he/she is on the network. Thus a client (a user or machine) having access to a given LAN no longer gets automatic access to LAN applications unless explicitly authorized. The novel approach described herein leverages existing enterprise identity management and policy definition infrastructure through standards-based protocols (e.g. via LDAP/AD, XACML, SAML/Kerberos). In order to apply the authorization policy to any connection/session, it is essential to identify the client originating that connection.

As described in detail in this disclosure, there are many embodiments of the invention that can be used to identify a client and to grant or reject authorization. In one embodiment of the invention, as an ANA it can be used to act as an authentication proxy for web (HTTP, for example) and file (CIFS, for example) protocols. For example, in case of a not-yet-authorized, or a known illegitimate HTTP request, the APS 2000 could send an HTTP 401 status response to a client requesting the client to provide its credentials. In another embodiment of the invention, the APS 2000 together with Windows Single-Sign-On can provide a seamless end user login experience in Active Directory (AD) environments. In yet another embodiment of the invention, the APS 2000 can interact with a network gateway and provide the username credentials for seamless user login.

Various other embodiments of the invention can be used as an LDAP Proxy, for snooping of AD/RADIUS transactions, etc. In all these cases, this approach may maintain an IP address to user-id mapping, though such mapping cannot be solely relied on, because of the possibility of source IP address spoofing. When the Transparent Secure Transport functionality of this approach is enabled, IP spoofing can be made impossible—a major security benefit that no other approach known in the art can support—because the integrity of the packet is checked, making sure that the appropriate client is guaranteed to have generated the given IP packet.

In one embodiment of the invention, for example as the APS 2000 of FIG. 2, the approach comprises techniques to utilize Virtual Directory Infrastructure. The Virtual Directory Infrastructure concepts of this approach are illustrated in FIG. 4. The Virtual Directory Infrastructure 4900 hides the complexity of the different protocols and the different formats by providing a common interface, for example the LDAP interface 4901, on one end and translating to the native protocols and formats of various identity stores, for example of identity store 4905 and identity store 4906, on the other end. The translation is done via special connectors, for example a Directory Connector 4902, or a Database Connector 4903. Providing this abstraction also helps to integrate emerging formats of identity stores into an enterprise network solution. When a new kind of identity store, for example the Flat file Identity Store 4907 with a new format, needs to be integrated, the Virtual Directory Infrastructure 4900 can be extended by adding a new connector (in this case the Flat file Connector 4904) which translates to the protocol of the new identity store.

Virtual Directory Infrastructure can provide real-time access to the existing identity stores without moving the data out of the original repository. Real-time access permits the data in the underlying stores to be quickly accessed, without requiring batch conversions of the repository data in advance. This has the advantage of maintaining consistent identity information, i.e., modifications done in the identity store take effect immediately. However, if the information changes rarely, then the Virtual Directory Infrastructure could be configured to cache the identity information so that it does not need to read from the identity store each time a request is made, and hence it can avoid the costly operation of translating between LDAP requests and the native protocols used by the identity repositories. The Virtual Directory Infrastructure can act as a single access point for retrieving or updating data in multiple data repositories. For example, the Virtual Directory Infrastructure can logically represent information from a number of disparate directories, databases, and other data repositories in a virtual directory tree. Various users and applications can get different views of the information, based on their access rights, which helps to control who can access/modify which identity information. The Virtual Directory Infrastructure can also provide a multitude of other features, as described below:

Dynamic Join: One of the main tasks of Virtual Directory Infrastructure is to act as a single access point where information from a large number of identity repositories needs to be retrieved. Many times, there is no one-to-one correspondence between the information needed and the amount of information stored in the back-end repositories. A common situation is that the information is scattered over several data repositories. It is desirable therefore to dynamically join data sets from several repositories before the result is returned. The Virtual Directory Infrastructure can provide such a Dynamic Join function.

Multi-Search: In the case of Multi-Search, Virtual Directory Infrastructure submits the search request to all (or to a defined subset) of the available repositories. The Virtual Directory Infrastructure can have the capability to either return the first match found, or all the matching entries from all defined repositories.

Schema adaptations: Virtual Directory Infrastructure can overcome the schema differences between the incoming requests and the data sources by mapping the attribute names in the back-end data sources to the attribute names used in the incoming LDAP requests.

Attribute value modification: In many cases it may be necessary to change the actual attribute value being returned in the response. For example, changing the sequence of the surname and given name in the common name. The Virtual Directory Infrastructure can provide such attribute value modification.
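The four features above (Dynamic Join, Multi-Search, schema adaptation and attribute value modification), plus the optional cache, in one added toy Virtual Directory (example code, not the appliance's VDI). The three connectors, their native attribute names and the sample identity records are constructed for the illustration; a real deployment would speak LDAP, SQL and the flat-file format over the network.

```python
"""Toy Virtual Directory Infrastructure: one LDAP-style lookup interface in
front of several identity stores with different native formats.
Constructed sample data; not the appliance's own code."""
import csv
import io
import time


# --- connectors: each translates its store's native format into a dict of
#     native attribute names -> values (all three stores are constructed) ----
class DirectoryConnector:
    """Stands in for an LDAP/AD directory keyed by uid."""
    def __init__(self, entries):
        self.entries = entries                # {uid: {native attr: value}}

    def search(self, uid):
        return [dict(self.entries[uid])] if uid in self.entries else []


class DatabaseConnector:
    """Stands in for an HR database table with column names of its own."""
    def __init__(self, rows):
        self.rows = rows                      # list of row dicts

    def search(self, uid):
        return [dict(r) for r in self.rows if r["login"] == uid]


class FlatFileConnector:
    """Stands in for a CSV flat-file identity store."""
    def __init__(self, text):
        self.rows = list(csv.DictReader(io.StringIO(text)))

    def search(self, uid):
        return [dict(r) for r in self.rows if r["user"] == uid]


class VirtualDirectory:
    def __init__(self, cache_ttl=0.0):
        self.backends = []                    # (connector, schema map, modifiers)
        self.cache_ttl = cache_ttl            # 0 = always read the live store
        self._cache = {}

    def add_backend(self, connector, schema_map, modifiers=()):
        self.backends.append((connector, schema_map, tuple(modifiers)))

    def _adapt(self, native, schema_map, modifiers):
        # schema adaptation: native attribute name -> name used in LDAP requests
        entry = {schema_map[k]: v for k, v in native.items() if k in schema_map}
        for fn in modifiers:                  # attribute value modification
            entry = fn(entry)
        return entry

    def multi_search(self, uid, first_match_only=False):
        """Submit the search to every backend; return the first or all matches."""
        results = []
        for connector, schema_map, modifiers in self.backends:
            for native in connector.search(uid):
                results.append(self._adapt(native, schema_map, modifiers))
                if first_match_only:
                    return results
        return results

    def lookup(self, uid):
        """Dynamic join: merge the partial entries of all stores into one."""
        hit = self._cache.get(uid)
        if hit and time.monotonic() - hit[0] < self.cache_ttl:
            return dict(hit[1])               # served from cache, may be stale
        joined = {}
        for partial in self.multi_search(uid):
            for k, v in partial.items():
                joined.setdefault(k, v)       # first store wins on conflicts
        if joined and self.cache_ttl > 0:
            self._cache[uid] = (time.monotonic(), dict(joined))
        return joined


def swap_cn(entry):
    """Value modification: rebuild cn as 'givenName sn' when both are known."""
    if "givenName" in entry and "sn" in entry:
        entry["cn"] = f"{entry['givenName']} {entry['sn']}"
    return entry


def build_demo_vdi(cache_ttl=0.0):
    """Wire the three constructed stores behind one virtual directory."""
    vdi = VirtualDirectory(cache_ttl)
    vdi.add_backend(
        DirectoryConnector({"alice": {"uid": "alice", "sn": "Smith",
                                      "givenName": "Alice", "cn": "Smith Alice"}}),
        {"uid": "uid", "sn": "sn", "givenName": "givenName", "cn": "cn"},
        [swap_cn])
    vdi.add_backend(
        DatabaseConnector([{"login": "alice", "dept": "finance", "grade": "7"}]),
        {"login": "uid", "dept": "department", "grade": "seniority"})
    vdi.add_backend(
        FlatFileConnector("user,clearance\nalice,secret\nbob,none\n"),
        {"user": "uid", "clearance": "securityClearance"})
    return vdi
```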

Triangulated Authorization

In one embodiment of the invention, the APS 2000 in FIG. 2 is used to perform attribute-based Triangulated Authorization services. In another embodiment of the invention, the ISO Layer-7 authorization server 4740 and/or 4710 of FIG. 5 is used for performing attribute-based Triangulated Authorization services for a subject 4741 which requests access to a resource 4714 hosted on an application server 4710. Attribute-based Triangulated Authorization complements existing approaches for access control known in the art via a network-centric, application-agnostic applications access control based on a Triangulated Identity. The Triangulated Identity can comprise protocol and content attributes, such as protocol and content attributes 4742 from FIG. 5, and thus extend the common identification concepts known in the art which almost solely rely on ISO Layer-4 attributes. The Triangulated Identity comprises three areas of identification:

-   User Attributes relate to attributes for identifying the user and client system itself. Those attributes can be, for example, the user name, the account name, an account number, a user identification token, a client machine identification, a unique Media Access Control (MAC) layer address, a client machine computer name, a unique client network interface serial number, personal identification tokens, fingerprint data, as well as attributes associated with the client, such as the work department, the client's role in the organization (for example, consultant, officer, engineer, maintenance staff, etc.), the association with certain projects (for example, the SOX compliance project, or the West Coast Open Source Design Project), the user's seniority, the user's current level of training, the user's citizenship, the user's security clearance, etc.
-   Environment Attributes relate to attributes for identifying the location of the client in the enterprise's network, such as source IP addresses or ports, destination IP addresses or ports, protocol numbers, other ISO Layer-2 to ISO Layer-5 attributes, network environment attributes, the network access method used such as LAN access, WLAN access, Wi-Fi access, mobile access, mobile phone access (for example, via WAP, GPRS, UMTS), dial-up access, VPN access, as well as the physical location attributes of the client such as the country (for example, USA, China, India, Denmark) or the city (for example, Paris, London, Sunnyvale) the client is in, or other aspects of the location such as the vicinity (for example, inside a museum, inside a particular coffee shop), as well as date and time, the current threat level, emergency/weather alarm, or network security classification.
-   Protocol and Content Attributes relate to on-the-wire session attributes, such as protocol attributes (for example, for HTTP or HTTPS: methods and parameters; FTP, SSH, Telnet, RDP), as well as file-based protocol attributes (for example, for CIFS), content attributes (for example, URL fields, web cookies, MIME types, file names), or resource attributes (for example, for JDBC/SQL data, J2EE/EJB methods and parameters).
-   Machine Attributes relate to a machine or a peripheral (e.g. printer, phone, server) model number and software image types/versions, etc.

The Triangulated Authorization can complement and even co-operate with other existing approaches for authorization and authentication, for example, to form a multi-stage authorization solution: In a first stage, classical ISO Layer-3-based and/or ISO Layer-4-based authorization can be done, for example, using a classical firewall. Requests that pass this first stage then get processed by a second stage authorization. In this second stage, the appropriate APS performs Triangulated Authorization based on ISO Layer-7 Application Service data. If the request passes this second stage, it will get handled by a third stage. This third stage can, for example, be another APS (in a multi-APS and/or in a multi-ANA architecture), or it can be handled by classical application-centric authorization methods.

Besides cascaded operation, the APS can perform Triangulated Authorization in combination with embedded PDP and embedded PEP and, optionally, with external PDP. In one example, as shown in FIG. 5, a subject 4741 requests access to a resource 4714 which is provided by application server 4710. In a first authorization stage, the APS 4740 performs Triangulated Authorization using its own internal PEP 4743 and its own internal PDP 4745. This PDP 4745 operates on the Triangulated Identity which can rely on protocol and content attributes 4742, for example. The APS 4740 can, optionally, also interact with another external PDP, such as PDP 4725, which is served by a policy server 4726 and which operates on the user attributes 4722. When the APS 4740 grants subject 4741 access to resource 4714, a secondary authorization, this time embedded in the application server 4710, can be performed. Various possibilities exist; for example, the application server 4710 can have its own embedded PEP 4713 and its own embedded PDP 4715. The embedded PDP 4715 can operate on user attributes 4712 to make an access control decision. Or, PDP 4715 can operate on user attributes 4722, for example via a Virtual Directory Infrastructure. In another example, the application server 4710 has no embedded PDP 4715 and instead interacts with the PDP 4745 from the APS 4740, or with the PDP 4725 from policy server 4726, or both. In yet another example, the application server 4710 has no embedded PEP 4713 and instead utilizes the PEP 4743 from the APS 4740 for access control.

In one of the embodiments of one of these inventions, policies are used in a rule-based authorization method to define sets of rules for authorization permissions. Rules are expressions or conditions on multiple, arbitrary attributes which evaluate to TRUE or FALSE and determine whether access shall be granted or rejected. Policies are stored in a PDP, for example, PDP 4735, which can be, for example, LDAP/AD. Also, policies can interact with single-sign-on assertions from SAML, or Kerberos. The policies can be described in various formats including common scripting languages such as TCL, Python, or Perl. Policies can also be described in industry standard formats such as XACML or in proprietary formats, or combinations thereof.

FIGS. 6-7 show how one embodiment of the invention can perform Triangulated Authorization when a client issues a first request. A user 4750, which can be, for example, client 1001 of FIG. 1, or client 2001 of FIG. 2, connects to the ANA 4760, which can be, for example, the APS 2000 of FIG. 2, or any appropriate authorization approach contemplated by one of ordinary skill in the art. In a first step 4751, the user 4750 issues for the first time a request to login (for example, to access certain resources) on application server 4762; ISO Layer-7 proxy 4766 terminates the transport protocol connection from the user 4750 and acts as a proxy for application server 4762 as described above. In a second step 4752, the ANA 4760 then authenticates the user via access to a directory service 4764. In a third step 4753, the directory service 4764 obtains user attributes from the multiple identity data stores 4761. In a fourth step 4754, the obtained user attributes get cached in the session record table 4763. In a fifth step 4755, the ANA 4760 finds the relevant policy and makes a policy-based access decision based on the user or other attributes, obtained, for example, via ISO Layer-7 service processing using the rule engine 4765 as described above. In a sixth step 4756, the ISO Layer-7 proxy 4766 forwards the request from user 4750 to the application server 4762, if and only if permitted by the policy. In a seventh step 4757, the ISO Layer-7 proxy 4766 proxies the response from the application server 4762 and forwards the server's response, together with a session cookie, back to the user 4750. The order of the above steps is exemplary only, and is not intended to be limiting.

FIGS. 8-9 show how an embodiment of the invention performs Triangulated Authorization when a client issues a subsequent request. The user 4750 connects to the ANA 4760. In a first step 4781, the user 4750 issues a subsequent request to login (for example, to again access certain resources) on application server 4762; ISO Layer-7 proxy 4766 terminates the transport protocol connection from the user 4750 and acts as a proxy for application server 4762 as described above. In a second step 4782, the session cookie embedded within the user's subsequent request is validated against the session record in the session record table 4763. In a third step 4783, the ANA 4760 finds the relevant policy and makes a policy-based access decision based on the user or other attributes, obtained, for example, via ISO Layer-7 service processing using the rule engine 4765 as described above. In a fourth step 4784, the ISO Layer-7 proxy forwards the request from user 4750 to the application server 4762, if and only if permitted by the policy. In a fifth step 4755, the ISO Layer-7 proxy proxies the response from the application server 4762 and forwards the server's response, together with a session cookie, back to the user 4750. The order of the above steps is exemplary only, and is not intended to be limiting.

Virtual Directory Infrastructure

A Virtual Directory Infrastructure hides the complexity of the different protocols and the different formats of identity stores and can provide real-time access to the existing identity stores without moving the data out of the original repository. The Virtual Directory Infrastructure can be used in conjunction with Triangulated Authorization. FIG. 13 and FIG. 14 show how one embodiment of the invention can perform Triangulated Authorization when a client issues a first request and Virtual Directory Infrastructure is utilized. A user 4750, which can be, for example, client 2001 of FIG. 2, connects to the ANA 4760, which can be, for example, the APS 2000 of FIG. 2. In a first step 4751, the user 4750 issues for the first time a request to login (for example, to access certain resources) on application server 4762; ISO Layer-7 proxy 4766 terminates the transport protocol connection from the user 4750 and acts as a proxy for application server 4762 as described above. In a second step 4752, the ANA 4760 then authenticates the user via access to Virtual Directory Infrastructure 4768. This Virtual Directory Infrastructure can, for example, be Virtual Directory Infrastructure 4900 of FIG. 4. In a third step 4753, the Virtual Directory Infrastructure 4768 obtains user attributes from the multiple identity data stores 4761 and 4767. In a fourth step 4754, the obtained user attributes get cached in the session record table 4763. In a fifth step 4755, the ANA 4760 finds the relevant policy and makes a policy-based access decision based on the user or other attributes, obtained, for example, via ISO Layer-7 service processing using the rule engine 4765 as described above. In a sixth step 4756, the ISO Layer-7 proxy 4766 forwards the request from user 4750 to the application server 4762, if and only if permitted by the policy. In a seventh step 4757, the ISO Layer-7 proxy 4766 proxies the response from the application server 4762 and forwards the server's response, together with a session cookie, back to the user 4750. The order of the above steps is exemplary only, and is not intended to be limiting.

FIGS. 15-16 show how an embodiment of the invention can perform Triangulated Authorization when a client issues a subsequent request. The user 4750 connects to the ANA 4760. In a first step 4781, the user 4750 issues a subsequent request to login (for example, to again access certain resources) on application server 4762; ISO Layer-7 proxy 4766 terminates the transport protocol connection from the user 4750 and acts as a proxy for application server 4762 as described above. In a second step 4782, the session cookie embedded within the user's subsequent request is validated against the session record in the session record table 4763. In a third step 4783, the ANA 4760 finds the relevant policy and makes a policy-based access decision based on the user or other attributes, obtained, for example, via ISO Layer-7 service processing using the rule engine 4765 as described above. In a fourth step 4784, the ISO Layer-7 proxy 4766 forwards the request from user 4750 to the application server 4762, if and only if permitted by the policy. In a fifth step 4755, the ISO Layer-7 proxy 4766 proxies the response from the application server 4762 and forwards the server's response, together with a session cookie, back to the user 4750. The order of the above steps is exemplary only, and is not intended to be limiting.
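The first-request and subsequent-request flows of FIGS. 6-9 and FIGS. 13-16, together with the rule-based policies described earlier, as one added Python model (not the patent's code): the ANA authenticates, caches user attributes in a session record table, issues a signed session cookie, evaluates a rule over the merged Triangulated Identity, and on later requests validates the cookie against the table instead of re-authenticating. The identity store, the rules, the HMAC cookie format and the HTTP-style status codes are constructed for this example.

```python
"""Added illustration of the first-request and subsequent-request flows:
authenticate, cache user attributes in a session record table, issue a signed
session cookie, evaluate rule-based policy over the Triangulated Identity, and
validate the cookie on later requests. All data and formats are constructed."""
import hashlib
import hmac
import secrets
from typing import Callable, Dict, Optional, Tuple

# Constructed stand-in for a Virtual Directory lookup (toy plaintext passwords).
IDENTITY_STORE: Dict[str, Dict[str, str]] = {
    "jdoe": {"password": "correct horse", "departmentNumber": "Engineering",
             "securityClearance": "secret"},
    "rroe": {"password": "battery staple", "departmentNumber": "Finance",
             "securityClearance": "none"},
}

# A rule is a condition over the merged Triangulated Identity (user,
# environment, and protocol/content attributes) that evaluates to True/False.
Rule = Callable[[Dict[str, str]], bool]
POLICY: Dict[str, Rule] = {
    # /admin: cleared engineers only, and only over LAN access.
    "/admin": lambda i: (i.get("departmentNumber") == "Engineering"
                         and i.get("securityClearance") == "secret"
                         and i.get("access_method") == "LAN"),
    # /public: any authenticated user may GET.
    "/public": lambda i: i.get("method") == "GET",
}
SERVER_KEY = secrets.token_bytes(32)  # per-ANA key that signs session cookies


def _mac(session_id: str) -> str:
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()


class SessionRecordTable:
    """Caches user attributes per session and issues/validates cookies."""
    def __init__(self) -> None:
        self.records: Dict[str, Dict[str, str]] = {}

    def create(self, user_attrs: Dict[str, str]) -> str:
        session_id = secrets.token_hex(16)
        self.records[session_id] = user_attrs  # step 4754: cache attributes
        return f"{session_id}.{_mac(session_id)}"

    def validate(self, cookie: str) -> Optional[Dict[str, str]]:
        session_id, _, mac = cookie.partition(".")
        if not hmac.compare_digest(mac, _mac(session_id)):
            return None  # forged or tampered cookie
        return self.records.get(session_id)  # None if unknown session


def authenticate(user: str, password: str) -> Optional[Dict[str, str]]:
    entry = IDENTITY_STORE.get(user)
    if entry is None or not hmac.compare_digest(entry["password"].encode(),
                                                password.encode()):
        return None
    return {k: v for k, v in entry.items() if k != "password"}


def decide(user_attrs: Dict[str, str], env: Dict[str, str],
           proto: Dict[str, str]) -> bool:
    """Find the rule for the requested URL and evaluate it; no rule = deny."""
    rule = POLICY.get(proto.get("url", ""))
    return rule is not None and rule({**user_attrs, **env, **proto})


def first_request(table: SessionRecordTable, user: str, password: str,
                  env: Dict[str, str], proto: Dict[str, str]
                  ) -> Tuple[int, Optional[str]]:
    """First request: authenticate, cache attributes, decide, and return the
    session cookie with the response only if the policy permitted it."""
    user_attrs = authenticate(user, password)
    if user_attrs is None:
        return 401, None
    cookie = table.create(user_attrs)
    if not decide(user_attrs, env, proto):
        return 403, None
    return 200, cookie


def subsequent_request(table: SessionRecordTable, cookie: str,
                       env: Dict[str, str], proto: Dict[str, str]) -> int:
    """Subsequent request: validate the cookie against the session record
    table, then re-evaluate policy with the cached user attributes."""
    user_attrs = table.validate(cookie)
    if user_attrs is None:
        return 401
    return 200 if decide(user_attrs, env, proto) else 403
```

Note that the policy is re-evaluated on every subsequent request, so a change in environment attributes (for example, the same session now arriving over VPN) can turn a previously permitted request into a denial without re-authentication.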

Some portions of the preceding detailed descriptions have been presented in terms of algorithms and symbolic representations of operations on data bits within a computer memory. These algorithmic descriptions and representations are the ways used by those skilled in the data processing arts to most effectively convey the substance of their work to others skilled in the art. An algorithm is here, and generally, conceived to be a self-consistent sequence of operations leading to a desired result. The operations are those requiring physical manipulations of physical quantities. Usually, though not necessarily, these quantities take the form of electrical or magnetic signals capable of being stored, transferred, combined, compared, and otherwise manipulated. It has proven convenient at times, principally for reasons of common usage, to refer to these signals as bits, values, elements, symbols, characters, terms, numbers, or the like.

It should be borne in mind, however, that all of these and similar terms are to be associated with the appropriate physical quantities and are merely convenient labels applied to these quantities. Unless specifically stated otherwise as apparent from the above discussion, it is appreciated that throughout the description, discussions utilizing terms such as “processing” or “computing” or “calculating” or “determining” or “displaying” or the like, refer to the action and processes of a computer system, or similar electronic computing device, that manipulates and transforms data represented as physical (electronic) quantities within the computer system's registers and memories into other data similarly represented as physical quantities within the computer system memories or registers or other such information storage, transmission or display devices.

Embodiments of the present invention also relate to an apparatus for performing the operations herein. This apparatus may be specially constructed for the required purposes, or it may comprise a general-purpose computer selectively activated or reconfigured by a computer program stored in the computer. Such a computer program may be stored in a computer readable storage medium, such as, but not limited to, any type of disk including floppy disks, optical disks, CD-ROMs, and magnetic-optical disks, read-only memories (ROMs), random access memories (RAMs), erasable programmable ROMs (EPROMs), electrically erasable programmable ROMs (EEPROMs), magnetic or optical cards, or any type of media suitable for storing electronic instructions, and each coupled to a computer system bus.

The algorithms and displays presented herein are not inherently related to any particular computer or other apparatus. Various general-purpose systems may be used with programs in accordance with the teachings herein, or it may prove convenient to construct more specialized apparatus to perform the required method operations. The required structure for a variety of these systems will appear from the description below. In addition, embodiments of the present invention are not described with reference to any particular programming language. It will be appreciated that a variety of programming languages may be used to implement the teachings of embodiments of the invention as described herein.

A machine-readable medium may include any mechanism for storing or transmitting information in a form readable by a machine (e.g., a computer). For example, a machine-readable medium includes read only memory (“ROM”); random access memory (“RAM”); magnetic disk storage media; optical storage media; flash memory devices; electrical, optical, acoustical or other form of propagated signals (e.g., carrier waves, infrared signals, digital signals, etc.); etc.

In the foregoing specification, embodiments of the invention have been described with reference to specific exemplary embodiments thereof. It will be evident that various modifications may be made thereto without departing from the broader spirit and scope of the invention as set forth in the following claims. The specification and drawings are, accordingly, to be regarded in an illustrative sense rather than a restrictive sense.

1. A method performed by a network element, the method comprising: receiving at a network element a packet of a network transaction from a client requesting accessing a server of a datacenter having a plurality of servers, the network element operating as a security gateway to the datacenter; in response to the packet, obtaining user attributes associated with a user of the network transaction from a plurality of directory servers via a virtual directory interface (VDI), wherein the VDI is embedded within the network element; and authenticating and authorizing the user of the network transaction using at least the user attributes obtained via the VDI to determine whether the user is eligible to access the server of the datacenter.
2. The method of claim 1, wherein the VDI is configured to access the directory servers via a converged datacenter fabric without having to use a TCP connection.
3. The method of claim 2, wherein the VDI is configured to provide a common interface to retrieve the user attributes from a plurality of identity stores located in the directory servers which require different protocols to access the identity stores.
4. The method of claim 3, wherein the VDI is configured to provide a single VDI view representing all user attributes that are associated with the user retrieved from the identity stores.
5. The method of claim 1, wherein the authentication and authorization is a part of layer 5 to layer 7 (layer 5-7) services performed within the network element.
6. The method of claim 1, wherein the user attributes comprise at least one of a department of an enterprise associated with the user, a role of the user within the enterprise, a project in which the user is a member, a seniority of the user within the enterprise, and a citizenship of the user.
7. The method of claim 1, wherein authenticating and authorizing the user further comprises authenticating and authorizing using environment attributes and subject attributes, wherein the environment attributes comprise at least one of network access methods, a location associated with the client, and a time and date associated with the network transaction, threat condition and emergency/weather alarm, wherein the subject attributes comprise at least one of protocol attributes, content attributes, resource attributes, and data attributes, and wherein the authentication and authorization are performed further using machine attributes including at least one of model identifier of a device and software image type and/or version.
8. The method of claim 4, wherein the VDI is configured to dynamically join different data sets obtained from different identity stores to provide the single VDI view, wherein the VDI is configured to consolidate different schemas associated with the different identity stores by mapping attribute names of the identity stores with attribute names obtained from the packet of the network transaction.
9. A machine-readable medium having instructions stored therein, which when executed by a machine, cause the machine to perform a method, the method comprising: receiving at a network element a packet of a network transaction from a client requesting accessing a server of a datacenter having a plurality of servers, the network element operating as a security gateway to the datacenter; in response to the packet, obtaining user attributes associated with a user of the network transaction from a plurality of directory servers via a virtual directory interface (VDI), wherein the VDI is embedded within the network element; and authenticating and authorizing the user of the network transaction using at least the user attributes obtained via the VDI to determine whether the user is eligible to access the server of the datacenter.
10. The machine-readable medium of claim 9, wherein the VDI is configured to access the directory servers via a converged datacenter fabric without having to use a TCP connection.
11. The machine-readable medium of claim 10, wherein the VDI is configured to provide a common interface to retrieve the user attributes from a plurality of identity stores located in the directory servers which require different protocols to access the identity stores.
12. The machine-readable medium of claim 11, wherein the VDI is configured to provide a single VDI view representing all user attributes that are associated with the user retrieved from the identity stores.
13. The machine-readable medium of claim 9, wherein the authentication and authorization is a part of layer 5 to layer 7 (layer 5-7) services performed within the network element.
14. The machine-readable medium of claim 9, wherein the user attributes comprise at least one of a department of an enterprise associated with the user, a role of the user within the enterprise, a project in which the user is a member, a seniority of the user within the enterprise, and a citizenship of the user.
15. The machine-readable medium of claim 9, wherein authenticating and authorizing the user further comprises authenticating and authorizing using environment attributes and subject attributes, wherein the environment attributes comprise at least one of network access methods, a location associated with the client, and a time and date associated with the network transaction, threat condition and emergency/weather alarm, wherein the subject attributes comprise at least one of protocol attributes, content attributes, resource attributes, and data attributes, and wherein the authentication and authorization are performed further using machine attributes including at least one of model identifier of a device and software image type and/or version.
16. The machine-readable medium of claim 12, wherein the VDI is configured to dynamically join different data sets obtained from different identity stores to provide the single VDI view, wherein the VDI is configured to consolidate different schemas associated with the different identity stores by mapping attribute names of the identity stores with attribute names obtained from the packet of the network transaction.
17. A network element, comprising: a virtual directory interface (VDI) coupled to a plurality of directory servers; and an authentication and authorization unit coupled to the VDI, wherein in response to a packet of a network transaction received from a client over a first network for accessing a server of a datacenter over a second network, the authentication and authorization unit is configured to obtain one or more user attributes from at least one of the directory servers via the VDI, wherein the authentication and authorization unit is configured to authenticate and/or authorize the packet based on at least the user attributes to determine whether a user of the client is eligible to access the server of the datacenter, and wherein the network element operates as a security gateway to the datacenter and each client of the first network has to go through the security gateway in order to access a server of the second network.
18. The network element of claim 17, wherein the VDI is configured to access the directory servers via a converged datacenter fabric without having to use a TCP connection.
19. The network element of claim 18, wherein the VDI is configured to provide a common interface to retrieve the user attributes from a plurality of identity stores located in the directory servers which require different protocols to access the identity stores.
20. The network element of claim 19, wherein the VDI is configured to provide a single VDI view representing all user attributes that are associated with the user retrieved from the identity stores.
21. The network element of claim 17, wherein the authentication and authorization is a part of layer 5 to layer 7 (layer 5-7) services performed within the network element.
22. The network element of claim 17, wherein the user attributes comprise at least one of a department of an enterprise associated with the user, a role of the user within the enterprise, a project in which the user is a member, a seniority of the user within the enterprise, and a citizenship of the user.
23. The network element of claim 17, wherein authenticating and authorizing the user further comprises authenticating and authorizing using environment attributes and subject attributes, wherein the environment attributes comprise at least one of network access methods, a location associated with the client, and a time and date associated with the network transaction, threat condition and emergency/weather alarm, wherein the subject attributes comprise at least one of protocol attributes, content attributes, resource attributes, and data attributes, and wherein the authentication and authorization are performed further using machine attributes including at least one of model identifier of a device and software image type and/or version.
24. The network element of claim 20, wherein the VDI is configured to dynamically join different data sets obtained from different identity stores to provide the single VDI view, wherein the VDI is configured to consolidate different schemas associated with the different identity stores by mapping attribute names of the identity stores with attribute names obtained from the packet of the network transaction.